DATA Protection Policy NRHS

NYANZA REPRODUCTIVE HEALTH SOCIETY (NRHS)

DATA PROTECTION POLICY

Office Tel: (+254) 57 202 3903
Office Mobile: (+254) 713 113 275 / (+254) 733 912 605
Address: PO Box 1764 -40100, Kisumu, Kenya

Introduction

Recent concerns about the security of personal data stored in institutions have led to Governments enacting data protection regulations. Consequently, in 2019 Kenya enacted its own Data Protection Act. The regulations seek to protect the privacy of individuals by enforcing responsible processing of personal data. This includes embedding principles of lawful processing, minimizing the collection of data, ensuring the accuracy of data and adopting security safeguards to protect personal data.

Policy Statement

Nyanza Reproductive Health Society (NRHS) is committed to complying with all relevant Kenyan legislation and applicable global legislation. NRHS recognizes that the protection of individuals through lawful, legitimate, and responsible processing and use of their personal data is a fundamental human right.

NRHS will ensure that it protects the rights of data subjects and that the data it collects and processes is handled in line with the required legislation. NRHS staff and all of its affiliated parties must comply with this policy, breach of which could result in disciplinary action.


Purpose

This policy provides guidance on how NRHS will handle the data it collects. It helps NRHS comply with the data protection law, protect the rights of the data subjects, and protect itself from risks related to breaches of data protection.

Scope

This policy applies to:

a) Employees of NRHS and all of its affiliated parties, including the Board, implementing partners, suppliers, contractors, and other third parties (where NRHS is the "Controller" for the personal data being processed), whether those parties handle NRHS information manually or electronically or if others hold it on their systems on NRHS's behalf;

b) All personal data processing that NRHS performs on behalf of others (where NRHS is the 'Processor' for the personal data being processed); and

c) All formats, including printed and digital material, text and images, records and documents, data, and audio recordings.

Definitions

  • A "data controller" is a legal person, public authority, agency, or other body that, alone or jointly with others, determines the purpose and means of the processing of personal data.
  • A "data processor" is a legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
  • Data subject means an identified or identifiable natural person who is the subject of personal data.
  • Personal data means any information relating to an identified or identifiable natural person.
  • A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • Sensitive personal data means data that reveals the natural person’s race, health status, ethnic, social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses’ sex, or the sexual orientation of the data subject.
  • Processing data means any operation or sets of operations performed on personal data whether or not by automated means, such as:
    (a) collection, recording, organization, structuring;
    (b) storage, adaptation or alteration;
    (c) retrieval, consultation or use;
    (d) disclosure by transmission, dissemination, or otherwise making available; or
    (e) alignment or combination, restriction, erasure or destruction.

Principles

NRHS will ensure that data is:

a. Processed in accordance with the right to privacy of the data subject

b. Processed lawfully, fairly, in a transparent manner, and in line with the right to privacy

c. Collected only for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with that purpose

d. Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is to be processed

e. Accurate and, where necessary, kept up-to-date

f. Not kept in a form that permits identification of data subjects for longer than is necessary for the purposes for which the data is processed

g. Processed in a manner that ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful processing and accidental loss, destruction, or damage

h. Not transferred out of Kenya unless there is proof of adequate data safeguards or measures or consent from the data subject

Data Protection Officer

NRHS has designated the Director to be the Data Protection Officer (DPO). Accordingly, the DPO will:

  • Advise NRHS staff on requirements for data protection, including data protection impact assessments
  • Ensure that NRHS complies with the legal requirements for data protection
  • Facilitate the capacity-building of staff involved in data processing operations
  • Cooperate with external regulators on matters relating to data protection

Contact: fotieno@nrhskenya.org

Duty to Inform

NRHS has a duty to inform data subjects of their rights before processing data. NRHS will therefore inform the data subjects of their rights:

a) To be notified of the fact that their personal data is being collected

b) To be informed of the use to which their personal data is to be put

c) To access their personal data in NRHS’s custody

d) To object to the processing of all or part of their personal data

e) To the correction of false or misleading data

f) To deletion of false or misleading data about them

g) To lodge a complaint to the Data Officer

Lawful and Fair Processing of Data

NRHS will only process data where it has a lawful basis to do so. Processing personal data will only be lawful where the data subject has given their consent for one or more specific purposes or where the processing is deemed necessary:

a) For the performance of a contract to which the data subject is a party

b) For participation in a research study for which the data subject is a participant

c) To comply with NRHS’s legal obligations

d) To perform tasks carried out in the public interest or the exercise of official authority

e) To protect the vital interests of the data subject or another person

f) To pursue NRHS’s legitimate interests where those interests are not outweighed by the interests and rights of data subjects

g) For historical, statistical, journalistic, literature and art or scientific research

Minimization of Collection

NRHS will not process any personal data for a purpose for which it has not obtained consent. Should such a need arise, then consent must be obtained from the data subject.

NRHS will collect and process data that is adequate, relevant, and limited to what is necessary. Staff must:

  • Not access unauthorized data
  • Only collect data necessary for duties
  • Delete, destroy, or anonymize data no longer needed

Accuracy of Data

NRHS must ensure that personal data is:

  • Accurate
  • Kept up-to-date
  • Corrected or deleted without delay

Safeguards and Security of Data

NRHS has instituted data security measures outlined in its Information Security Policy and procedures.

NRHS will maintain records showing consent was obtained before processing personal data. Data will not be processed after withdrawal of consent.

Processing Data Relating to a Child

NRHS will not process child data unless:

  • Consent is given by a guardian or parent
  • Processing protects the best interests of the child

Data Protection Impact Assessment

NRHS will undertake assessments where processing poses high risk. The DPO is responsible.

Processing Sensitive Personal Data

NRHS will process sensitive personal data only when:

a) It is not revealed outside NRHS without consent

b) It pertains to staff or regular contacts

c) It involves publicly disclosed data

d) It is essential for:

  • Legal claims
  • Protection of vital interests

Transferring Personal Data Out of Kenya

NRHS will transfer data only when:

a) Adequate safeguards exist

b) It is necessary for:

  • Contracts
  • Public interest
  • Legal claims
  • Vital interests
  • Legitimate interests

Onward Reporting

NRHS will:

  • Report breaches within 72 hours
  • Inform affected data subjects promptly

Training and Awareness

NRHS will:

  • Train staff on this policy
  • Require induction training
  • Ensure partners comply

Partners

Partners must:

  • Report breaches within 48 hours
  • Comply with this policy

Roles and Responsibilities

All Staff Must:

a) Read, understand and comply with the policy
b) Report breaches promptly

Project Leads and Managers Must:

a) Ensure awareness
b) Conduct risk assessments

Director:

  • Ensure implementation
  • Promote data protection culture

Board:

  • Oversee governance
  • Ensure adequate systems

Independent Assurance

NRHS data protection procedures will undergo internal audits and may be externally reviewed.

Data Retention

Retention is based on legitimate needs with records maintained.

Review of this Policy

The NRHS Director is responsible for ensuring periodic review and Board approval.
